[PATCH] Fix use-after-free with log and quotas

[PATCH] Fix use-after-free with log and quotas

[Lachlan McIlroy]

Destroying the quota stuff on unmount can access the log - ie XFS_QM_DONE()
ends up in xfs_dqunlock() which calls xfs_trans_unlocked_item() and then
xfs_log_move_tail().  By this time the log has already been destroyed.
Just move the cleanup of the quota code earlier in xfs_unmountfs() before
the call to xfs_log_unmount().  Moving XFS_QM_DONE() up near
XFS_QM_DQPURGEALL() seems like a good spot.

--- a/fs/xfs/xfs_mount.c	2008-09-12 18:24:09.000000000 +1000
+++ b/fs/xfs/xfs_mount.c	2008-09-12 18:31:22.000000000 +1000
@@ -1245,6 +1245,9 @@ xfs_unmountfs(
 
 	XFS_QM_DQPURGEALL(mp, XFS_QMOPT_QUOTALL | XFS_QMOPT_UMOUNTING);
 
+	if (mp->m_quotainfo)
+		XFS_QM_DONE(mp);
+
 	/*
 	 * Flush out the log synchronously so that we know for sure
 	 * that nothing is pinned.  This is important because bflush()
@@ -1297,8 +1300,6 @@ xfs_unmountfs(
 	xfs_errortag_clearall(mp, 0);
 #endif
 	xfs_free_perag(mp);
-	if (mp->m_quotainfo)
-		XFS_QM_DONE(mp);
 }
 
 STATIC void

Re: [PATCH] Fix use-after-free with log and quotas

[Christoph Hellwig]

On Fri, Sep 12, 2008 at 06:41:07PM +1000, Lachlan McIlroy wrote:
> Destroying the quota stuff on unmount can access the log - ie XFS_QM_DONE()
> ends up in xfs_dqunlock() which calls xfs_trans_unlocked_item() and then
> xfs_log_move_tail().  By this time the log has already been destroyed.
> Just move the cleanup of the quota code earlier in xfs_unmountfs() before
> the call to xfs_log_unmount().  Moving XFS_QM_DONE() up near
> XFS_QM_DQPURGEALL() seems like a good spot.

Yeah, I have something like this in my large mount/unmount audit.

Looks good, and I have to rebase all the other changes anyway.

Re: [PATCH] Fix use-after-free with log and quotas

[Dave Chinner]

On Fri, Sep 12, 2008 at 06:41:07PM +1000, Lachlan McIlroy wrote:
> Destroying the quota stuff on unmount can access the log - ie XFS_QM_DONE()
> ends up in xfs_dqunlock() which calls xfs_trans_unlocked_item() and then
> xfs_log_move_tail().  By this time the log has already been destroyed.
> Just move the cleanup of the quota code earlier in xfs_unmountfs() before
> the call to xfs_log_unmount().  Moving XFS_QM_DONE() up near
> XFS_QM_DQPURGEALL() seems like a good spot.

FWIW, has this been actually seen in the real world?

xfs_trans_unlocked_item() only does stuff if the log item is in the
AIL. If we've already destroyed the log, then we should have already
torn down the AIL and there should be no log items in the system
that are in the AIL....

What am I missing here?

Cheers,

Dave.
-- 
Dave Chinner
david@fromorbit.com

Re: [PATCH] Fix use-after-free with log and quotas

[Lachlan McIlroy]

Dave Chinner wrote:
> On Fri, Sep 12, 2008 at 06:41:07PM +1000, Lachlan McIlroy wrote:
>> Destroying the quota stuff on unmount can access the log - ie XFS_QM_DONE()
>> ends up in xfs_dqunlock() which calls xfs_trans_unlocked_item() and then
>> xfs_log_move_tail().  By this time the log has already been destroyed.
>> Just move the cleanup of the quota code earlier in xfs_unmountfs() before
>> the call to xfs_log_unmount().  Moving XFS_QM_DONE() up near
>> XFS_QM_DQPURGEALL() seems like a good spot.
> 
> FWIW, has this been actually seen in the real world?
Yes.  And easy to reproduce too.

> 
> xfs_trans_unlocked_item() only does stuff if the log item is in the
> AIL. If we've already destroyed the log, then we should have already
> torn down the AIL and there should be no log items in the system
> that are in the AIL....
That should be the case but clearly not happening.  Pete is investigating
an issue right now where a dquot is not getting removed from the AIL when
it should.  Until we've got to the bottom of that problem I'd prefer to at
least avoid this use after free issue.

Re: [PATCH] Fix use-after-free with log and quotas

[Dave Chinner]

On Mon, Sep 15, 2008 at 12:40:04PM +1000, Lachlan McIlroy wrote:
> Dave Chinner wrote:
>> On Fri, Sep 12, 2008 at 06:41:07PM +1000, Lachlan McIlroy wrote:
>>> Destroying the quota stuff on unmount can access the log - ie XFS_QM_DONE()
>>> ends up in xfs_dqunlock() which calls xfs_trans_unlocked_item() and then
>>> xfs_log_move_tail().  By this time the log has already been destroyed.
>>> Just move the cleanup of the quota code earlier in xfs_unmountfs() before
>>> the call to xfs_log_unmount().  Moving XFS_QM_DONE() up near
>>> XFS_QM_DQPURGEALL() seems like a good spot.
>>
>> FWIW, has this been actually seen in the real world?
> Yes.  And easy to reproduce too.

Care to provide details about the test case, then? I can't help if
you keep me in the dark....

>> torn down the AIL and there should be no log items in the system
>> that are in the AIL....
> That should be the case but clearly not happening.  Pete is investigating
> an issue right now where a dquot is not getting removed from the AIL when
> it should.  Until we've got to the bottom of that problem I'd prefer to at
> least avoid this use after free issue.

No point in putting a bandaid in if you're already in the process of
trying to find the real cause....

Cheers,

Dave.
-- 
Dave Chinner
david@fromorbit.com

Re: [PATCH] Fix use-after-free with log and quotas

[Lachlan McIlroy]

Dave Chinner wrote:
> On Mon, Sep 15, 2008 at 12:40:04PM +1000, Lachlan McIlroy wrote:
>> Dave Chinner wrote:
>>> On Fri, Sep 12, 2008 at 06:41:07PM +1000, Lachlan McIlroy wrote:
>>>> Destroying the quota stuff on unmount can access the log - ie XFS_QM_DONE()
>>>> ends up in xfs_dqunlock() which calls xfs_trans_unlocked_item() and then
>>>> xfs_log_move_tail().  By this time the log has already been destroyed.
>>>> Just move the cleanup of the quota code earlier in xfs_unmountfs() before
>>>> the call to xfs_log_unmount().  Moving XFS_QM_DONE() up near
>>>> XFS_QM_DQPURGEALL() seems like a good spot.
>>> FWIW, has this been actually seen in the real world?
>> Yes.  And easy to reproduce too.
> 
> Care to provide details about the test case, then? I can't help if
> you keep me in the dark....
XFSQA test 083 hits this almost every run when quotas are enabled.

> 
>>> torn down the AIL and there should be no log items in the system
>>> that are in the AIL....
>> That should be the case but clearly not happening.  Pete is investigating
>> an issue right now where a dquot is not getting removed from the AIL when
>> it should.  Until we've got to the bottom of that problem I'd prefer to at
>> least avoid this use after free issue.
> 
> No point in putting a bandaid in if you're already in the process of
> trying to find the real cause....
It's not a band-aid - it's a perfectly valid change to make.  We don't
know if this other problem is related nor do we know if it will fix this
use-after-free either.  There's no reason to let other people hit this
panic if we can avoid it.